This repository was archived by the owner on Jun 25, 2025. It is now read-only.
Correct handling of ATTEST_KEYs. #33
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
March 8, 2023 08:58
Also, tighten up the required certificate chain structure, to specify that the leaf certificate must be an attestation certificate, and that any attestation certificates after the leaf must be for ATTEST_KEYs.
carmenyh
reviewed
Jun 19, 2023
There was a problem hiding this comment.
Please rename to "cert_chain_without_attest_key_certs.pem"
| } | ||
|
|
||
| // Leaf certificate should contain the attestation record we're looking for. | ||
| final ParsedAttestationRecord retval = extractParsedAttestationRecord(certs.get(0)); |
There was a problem hiding this comment.
Change variable from "retval" to "attestationRecord"
| // aren't for ATTEST_KEYs, throw. | ||
| boolean foundNonAttestationCert = false; | ||
| for (X509Certificate cert : certs.stream().skip(1).collect(Collectors.toList())) { | ||
| final ParsedAttestationRecord record = extractParsedAttestationRecord(cert); |
There was a problem hiding this comment.
"record" to "intermediateAttestationRecord"
There was a problem hiding this comment.
Please include in the name what is actually wrong with this chain (does it try to assert an attestation after a non attest key cert? is the cert missing the attestation at the end?) and then add chains for the other failure conditions.
| // we find any attestations after the first non-attestation, or if we find any attestations that | ||
| // aren't for ATTEST_KEYs, throw. | ||
| boolean foundNonAttestationCert = false; | ||
| for (X509Certificate cert : certs.stream().skip(1).collect(Collectors.toList())) { |
There was a problem hiding this comment.
why not certs.listIterator(1)?
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Also, tighten up the required certificate chain structure, to specify that the leaf certificate must be an attestation certificate, and that any attestation certificates after the leaf must be for ATTEST_KEYs.